Re: [squid-users] File extension blocking rules

From: Odhiambo WASHINGTON <[email protected]>
Date: Thu, 18 May 2006 15:45:24 +0300

* On 18/05/06 09:37 -0300, "Lu�s Fernando C. Talora" wrote:
| Fellows,
|
| To protect dummy users against themselves, I�ve put a few rules on my
| Squid server to prevent them on downloading some potentially dangerous
| files by its extensions, such as .exe, .zip, .bat, .scr, and so on. Part
| of the "regex" files for those rules follow:
|
| \.com$
| \.scr$
| \.bat$
| \.pif$
| (...)
|
| However, an user recieved a mail message with a link to some "virtual
| card" (witch was, indeed, some kind of trojan) and I�ve noticed that
| Squid allowed the user to download the file. The link follows:
|
|
| http://www.mikes.educv.ro/albums/cartao.scr?4d325356ae47122a6e7b8f1f07cae26d
|
| It is quite impressive how the bad guys create ways to bypass the
| proxy... If the URL do not end with the ".xxx", the rule is easily
| bypassed. So I�ve tried the following:
|
| \.scr[\?\&]?.*
|
| It worked, but too many pages were blocked by mistake. Then I�ve thought
| on this:
|
| \.scr$
| \.scr[\?\&]
|
| It probably works, but I didn�t try it, but I doesn�t seem to be the
| best way to do it (I would need to create to lines for each blocked
| extension). My question is: is there an easier way to do that? I mean, a
| single rule that work in both cases (the file extension followed by the
| "?" - ou the "&" - in the meedle of the URL or in the end of URL).

It's time to integrate a true content filter, like Dansguardian[1],
which will (when integrated with an Anti-virus) do real scanning of
all content. Squid can then do what is was born for - caching/proxying.

[1] http://www.dansguardian.org

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington    <wash@wananchi.com>
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+
Real programmers don't bring brown-bag lunches.  If the vending machine
doesn't sell it, they don't eat it.  Vending machines don't sell
quiche.
Received on Thu May 18 2006 - 06:45:39 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jun 01 2006 - 12:00:02 MDT